Address #394 review: drop dead gh-aw step and stale maintenance workflow

[jonathanpeppers]

Follow-up to the review comment on #394 (discussion_r3493138136) pointing out that actions-lock.json no longer pinned the gh-aw-actions/setup-cli SHAs still referenced by two workflows. Rather than re-adding the pins, this PR removes the actual usages so the lock stays minimal and truthful.

Changes

• Drop the Install gh-aw extension step from .github/workflows/copilot-setup-steps.yml. It was added in Add /review agentic workflow for android-tools-reviewer #346 back when the reviewer was a Copilot CLI skill that shelled out to gh api. The reviewer is now a self-contained agentic workflow triggered by /review, and the Copilot coding agent itself never invokes gh aw, so the step is dead weight.
• Recompile android-tools-reviewer.md with gh-aw v0.81.6 (was v0.79.8). Bumps github/gh-aw-actions/setup to v0.81.6 in actions-lock.json and the regenerated reviewer lock workflow.
• Delete .github/workflows/agentics-maintenance.yml. v0.81.6 no longer emits this sibling maintenance workflow for this repo (we don't use the expires safe-output field that triggered its generation), and recompile confirms it does not come back. 685 lines of generated boilerplate gone.
• Bump validate-pat-pool.yml to the matching v0.81.6 setup SHA so it stays in sync with the lock.

Net effect: actions-lock.json once again accurately reflects every gh-aw action used in the repo, with no setup-cli references anywhere.

Validation

• gh aw compile .github/workflows/android-tools-reviewer.md --schedule-seed dotnet/android-tools --approve (clean, 0 errors / 0 warnings, does not regenerate the maintenance workflow)
• All remaining workflow files grep-clean for setup-cli

[jonathanpeppers]

/review

[github-actions]

✅ Android Tools PR Reviewer completed successfully!

[Copilot]

Pull request overview

This PR cleans up gh-aw workflow usage so .github/aw/actions-lock.json stays accurate by removing dead setup-cli usage, updating the gh-aw setup action pin to v0.81.6, and dropping an unneeded generated maintenance workflow.

Changes:

• Remove the unused github/gh-aw-actions/setup-cli step from copilot-setup-steps.yml.
• Update gh-aw setup action pinning (and the generated reviewer lock workflow) to v0.81.6.
• Delete the generated .github/workflows/agentics-maintenance.yml workflow which is no longer emitted/needed.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/workflows/validate-pat-pool.yml	Bumps github/gh-aw-actions/setup to v0.81.6 for PAT pool validation workflow.
.github/workflows/copilot-setup-steps.yml	Drops dead setup-cli install step, keeping the workflow minimal.
.github/workflows/android-tools-reviewer.lock.yml	Regenerated lock workflow with v0.81.6 pins and updated runtime/script details.
.github/workflows/agentics-maintenance.yml	Removes stale generated maintenance workflow no longer produced/used.
.github/aw/actions-lock.json	Updates pinned gh-aw setup entry to v0.81.6 SHA to reflect actual usage.

Comments suppressed due to low confidence (1)

.github/workflows/validate-pat-pool.yml:29

• After bumping github/gh-aw-actions/setup to v0.81.6, this workflow still installs GitHub Copilot CLI 1.0.63. The generated android-tools-reviewer.lock.yml moved to 1.0.65, so keeping validate-pat-pool.yml on the older CLI makes the PAT validation behavior drift from what /review actually runs and can hide compatibility issues.

        uses: github/gh-aw-actions/setup@ba6380cc6e5be5d21677bebe04d52fb48e3abec7 # v0.81.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions

      - name: Install Copilot CLI

[github-actions]

✅ LGTM

Clean, well-scoped follow-up to #394. I formed an independent read of the diff before the description and reached the same conclusion: this is a faithful gh aw recompile plus dead-code removal, with no behavioral risk.

Verified independently:

• ✅ setup-cli is gone from the entire .github/ tree — nothing references it anymore, so dropping the unpinned setup-cli@v0.68.3 step from copilot-setup-steps.yml is safe. (The step was only needed back when the reviewer shelled out to gh aw; the agentic workflow doesn't.)
• ✅ The setup action SHA bump (v0.80.9 → v0.81.6, ba6380cc...) is internally consistent across actions-lock.json, validate-pat-pool.yml, and all six uses: in android-tools-reviewer.lock.yml.
• ✅ android-tools-reviewer.lock.yml metadata now reports "compiler_version":"v0.81.6"; the rest of that 144-line diff is just version-string env bumps (GH_AW_INFO_*, AWF v0.27.7→v0.27.11) and the new GH_AW_RUNTIME_FEATURES passthrough — all expected compiler output, no permission or trigger changes.
• ✅ Deleting agentics-maintenance.yml leaves zero dangling references anywhere in the tree.
• ✅ CI green (license/cla, copilot-pull-request-reviewer, copilot-setup-steps).

Issues: 0 errors · 0 warnings · 1 suggestion (inline)

The only thing the diff can't self-prove is that ba6380cc... is genuinely tag v0.81.6 upstream — flagged inline as a quick sanity check. Since it came straight out of gh aw compile --approve, I'd expect it's correct. Nice cleanup removing 685 lines of generated boilerplate while keeping the lock truthful.

Generated by Android Tools PR Reviewer for issue #395 · 141.5 AIC · ⌖ 26.2 AIC · ⊞ 6.5K
_{Comment /review to run again}

[github-actions]

🤖 💡 Security — Good: this bumps the pinned setup action to a full commit SHA (ba6380cc...) with a # v0.81.6 tag comment, and the same SHA is used consistently in .github/aw/actions-lock.json and the six setup@ uses in android-tools-reviewer.lock.yml. The one thing the lock can't self-verify is that ba6380cc... really is tag v0.81.6 of github/gh-aw-actions/setup upstream — worth a 30-second confirm, since a wrong-but-consistent SHA would still look clean here.

Rule: Pin third-party actions to a full commit SHA (Security: Process & Command Safety)